CN110941825A - Application monitoring method and device - Google Patents
Application monitoring method and device Download PDFInfo
- Publication number
- CN110941825A CN110941825A CN201911285295.0A CN201911285295A CN110941825A CN 110941825 A CN110941825 A CN 110941825A CN 201911285295 A CN201911285295 A CN 201911285295A CN 110941825 A CN110941825 A CN 110941825A
- Authority
- CN
- China
- Prior art keywords
- target application
- trusted
- application
- content
- standard
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The present specification discloses an application monitoring method and apparatus, which execute the following operations in a trusted execution environment for any target application to be monitored that needs to maintain an operating state: acquiring an application process list currently operated by target equipment; acquiring a standard process name of the target application from a preset trusted storage area; judging whether the acquired application process list contains the standard process name of the target application; and determining that the target application is abnormal under the condition that the judgment result is negative. By the aid of the scheme, whether the target application is abnormal or not can be monitored, the target application cannot execute corresponding operation, and private data in the target application can be prevented from being tampered.
Description
Technical Field
The embodiment of the specification relates to the technical field of network security, in particular to an application monitoring method and device.
Background
Currently, there are some applications on a device that need to remain running while the device is running. For example, in order to protect data security, security applications for performing security operations, such as applications for checking and killing viruses or monitoring internet behavior, exist on a device, and processes corresponding to these security applications need to maintain a running state when the device is running, so as to monitor a device state and feed back information in real time.
However, an attacker may stop a process corresponding to an application that needs to maintain a running state through some bugs, so that the application cannot perform corresponding operations.
Disclosure of Invention
In order to prevent an application that needs to maintain a running state from being unable to execute a corresponding operation, the present specification discloses an application monitoring method and apparatus. The technical scheme is as follows:
an application monitoring method is used for executing the following operations in a trusted execution environment aiming at any target application to be monitored, wherein the target application needs to be kept in a running state:
acquiring an application process list currently operated by target equipment; and
acquiring a standard process name of the target application from a preset trusted storage area;
judging whether the acquired application process list contains the standard process name of the target application;
and under the condition that the judgment result is negative, determining that the target application is abnormal.
An application monitoring apparatus, the apparatus comprising each functional unit for executing, in a trusted execution environment, for any target application to be monitored that needs to maintain a running state:
the device comprises:
the device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring an application process list currently operated by target equipment; and
acquiring a standard process name of the target application from a preset trusted storage area;
the judging unit is used for judging whether the acquired application process list contains the standard process name of the target application or not, and determining that the target application is abnormal under the condition that the judgment result is negative;
and storing the standard process name of each application to be monitored, which needs to keep the running state, in the preset trusted storage area in advance.
According to the scheme, whether the process name corresponding to each application to be monitored is contained in all the process lists on the equipment is monitored in the trusted execution environment of the equipment, so that whether the process corresponding to each application to be monitored is stopped or not is judged. Because the content in the trusted execution environment cannot be accessed or tampered by the untrusted process, and an attacker cannot invade the trusted execution environment, whether the process corresponding to each application to be monitored is stopped can be accurately judged by the scheme. By the scheme, when an attacker stops the process corresponding to the application needing to be kept in the running state, the attacker can directly find that the process is stopped, and therefore corresponding measures are taken to prevent the application from being incapable of executing corresponding operations.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present specification, and other drawings can be obtained by those skilled in the art according to the drawings.
Fig. 1 is a schematic structural diagram of a device including a trusted execution environment according to an embodiment of the present specification;
fig. 2 is a schematic flowchart of an application monitoring method provided in an embodiment of the present specification;
FIG. 3 is a schematic diagram illustrating a method for updating a trusted memory area according to an embodiment of the present disclosure;
FIG. 4 is a flow chart illustrating another application monitoring method provided in an embodiment of the present disclosure;
FIG. 5 is a flow chart illustrating another application monitoring method provided in an embodiment of the present disclosure;
FIG. 6 is a schematic diagram illustrating an application monitoring method according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of an application monitoring apparatus provided in an embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of another application monitoring device provided in an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of another application monitoring device provided in an embodiment of the present specification;
fig. 10 is a schematic structural diagram of an apparatus for configuring a method according to an embodiment of the present disclosure.
Detailed Description
Currently, there are some applications on a device that need to remain running while the device is running.
For example, to secure data, especially private data, a security application may be installed on the device for performing security operations, such as virus killing or monitoring internet behavior, and preventing external and internal attackers from attacking the data. The processes corresponding to these security applications need to maintain the running state when the device runs, so as to monitor the device state and feed back information in real time, thereby protecting the data on the device.
However, an attacker may stop a process corresponding to an application that needs to maintain a running state through some bugs, so that the application cannot perform corresponding operations.
For example, an external attacker attacks a security application process for virus killing through a trojan program and stops the security application process, so that the device cannot kill viruses, and data on the device may be attacked; or the internal attacker forcibly stops the security application process for monitoring the internet access behavior through a program set by the attack authority, so that the internet access behavior of the device is not monitored, and data on the device can be attacked.
According to the technical scheme provided by the specification, in order to prevent the above situation, a monitoring program can be used for monitoring the process of each application needing to keep the running state on the device, and checking whether the process is stopped or not in real time or periodically. However, the monitor program may be attacked by an attacker to modify or stop the corresponding process, so that the monitor program cannot perform the monitoring operation.
To solve the above technical problem, a trusted execution environment may be utilized to protect a device from being attacked by an attacker.
First, a technique related to a Trusted Execution Environment (TEE) will be described: the trusted execution environment may guarantee the security, confidentiality, and integrity of code and data loaded inside the environment. The trusted execution environment provides an isolated execution environment, the security features provided comprising: isolated execution, integrity of trusted applications, confidentiality of trusted data, secure storage, and the like. In general, a trusted execution environment may provide a higher level of security than an operating system. The current application scenario of trusted execution environments has not been limited to the mobile domain. Common trusted execution environment implementations include AMD's PSP (platform Security processor), ARM's TrustZone, Intel's SGX (software Guard extensions), and so on.
In particular, for a device configured with a trusted execution environment, the content in the trusted execution environment may include code and data, and the trusted execution environment can prevent, at a hardware level, an untrusted process from accessing or modifying the content in the trusted execution environment, thereby greatly reducing a vulnerability that may be breached by the untrusted process, that is, it is difficult for an attacker to access or modify the content in the trusted execution environment. The code in the trusted execution environment can also run in the trusted execution environment, and can access other data and perform calculation to obtain a calculation result, so that the code in the security area can be safely executed and cannot be attacked.
According to the characteristics of the trusted execution environment, data needing to be protected on the device can be directly placed in the trusted execution environment, or the application needing to be kept in the running state on the device can be directly placed in the trusted execution environment to run, so that the application is guaranteed against being tampered and accessed by an attacker at will. However, because the trusted execution environment has a small memory, all data or more applications on the device cannot be placed in the trusted execution environment.
According to the situation, the technical scheme provided by the specification is as follows: the monitoring program can be placed in the trusted execution environment for execution, so that the monitoring program cannot be tampered and accessed by an attacker, and the process corresponding to the monitoring program cannot be stopped by the attacker, so that the monitoring result obtained by the monitoring program executed in the trusted execution environment is correct, and the monitoring operation can be executed in a protected environment. It can be seen that the essence of the above-mentioned solution is based on the characteristics of the trusted execution environment, so that the monitor program in the trusted execution environment is not tampered, and the process corresponding to the monitor program is not stopped, so that the result of the monitor program is trusted.
When an attacker stops a process corresponding to an application needing to keep a running state, the monitoring program which is being executed in the trusted execution environment can directly find that the process is stopped, so that corresponding measures are taken to prevent the application from being incapable of executing corresponding operations.
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present specification, the technical solutions in the embodiments of the present specification will be described in detail below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of protection.
As shown in fig. 1, a schematic structural diagram of a device including a trusted execution environment is provided for an embodiment of the present specification. For the sake of distinction, the device is subsequently referred to as a target device, on which the trusted execution environment and the at least one application may be contained.
Some applications exist in the applications, which need to be kept in a running state when the device runs, that is, the process is located in a process list, for example, a security application, and each application which needs to be kept in the running state is determined as a target application to be monitored. In order to prevent the target application from stopping running, a program for performing monitoring operation may be run in the trusted execution environment, and the program may compare a process list of the application currently running on the device with a standard process name of the target application, where the process list includes a process name corresponding to each running application on the device. And if the process list does not have the standard process name, the corresponding target application process is considered to stop, and the target application does not keep the running state.
The standard process name can be an accurate name corresponding to a process created during application runtime; one application runtime can create multiple processes, i.e., each target application can correspond to at least one process and can correspond to at least one standard process name.
Since the attacker may not stop the process but rather tamper with the private data of the target application, i.e. with the content of the target application, e.g. tamper with the code of the target application. Therefore, in order to prevent an attacker from tampering the target application content, the program in the trusted execution environment may also compare the current content characteristics and the standard content characteristics of the running application, and if the current content characteristics are different from the standard content characteristics, the corresponding application content is tampered.
The standard content features refer to features corresponding to accurate content which is not tampered by the target application; the content features are obtained by extracting features corresponding to the content according to a preset feature extraction algorithm. The "feature" herein refers to a kind of information capable of uniquely identifying "content", and can be obtained by using a preset feature extraction algorithm (e.g., a digest algorithm, etc.) for the "content". I.e. the content features uniquely correspond to the content.
According to the scheme provided by the specification, a trusted storage area can be configured, and the trusted storage area can be used for storing the standard process name of each target application and can also be used for storing the standard content characteristics of each target application. The trusted memory region is trusted by the device. The trusted memory region may be located within the trusted execution environment or may be a trusted memory device external to the device in which the target application is located.
According to the scheme of the present specification, the trusted verification device may be further configured to verify whether the current content features of each target application are consistent with the standard content features, that is, to verify whether the content of each target application is tampered. The trusted verification device is trusted by the device where the target application is located, and at least the standard content features of each target application are stored. The trusted storage device and the trusted verification device may be the same physical device or different physical devices.
Fig. 2 is a schematic flow chart of an application monitoring method provided in an embodiment of the present disclosure. The method can execute operation in a trusted execution environment aiming at any target application to be monitored on the equipment, wherein the target application needs to keep a running state. Wherein the method is executable by a program running in a trusted execution environment. The method may comprise the steps of:
s101: and acquiring an application process list currently operated by the target equipment.
A program running in the trusted execution environment may obtain a list of application processes currently running on the device where the program is located, where the list includes a process name corresponding to each running application on the device.
S102: and acquiring the standard process name of the target application from a preset trusted storage area.
The method includes that a standard process name of a target application to be monitored, which needs to keep an operating state, on a device is acquired from a preset trusted storage area, wherein the preset trusted storage area can store the standard process name of each target application which needs to keep the operating state.
The preset trusted storage area may be a trusted storage device other than the target device, or may be the trusted execution environment. That is, the standard process name of each target application that needs to maintain the running state may be stored in the trusted execution environment of the current device, or may be stored in a trusted storage device outside the current device, where the trusted storage device may be a storage device trusted by the current device, such as a server or other computing device.
When the preset trusted storage area is a trusted storage device other than the target device, the program running in the trusted execution environment may receive a standard process name of a target application that needs to be kept in a running state and is sent by the trusted storage device.
When the preset trusted storage area is the trusted execution environment, the program running in the trusted execution environment can directly acquire the standard process name of the target application needing to keep the running state from the environment.
For an application, there may be a case of version upgrade update, and a standard process name corresponding to the application may change after the update, so that the stored standard process name needs to be updated in a preset trusted storage area.
And after monitoring that the target application needing to be kept in the running state is updated, the preset trusted storage area receives a new standard process name of the updated target application, and replaces the standard process name of the originally stored target application with the received new standard process name. The new standard process name may be sent to a preset trusted storage area by a device that initiates application update, or sent to a preset trusted storage area by a storage device that stores the new standard process name.
When the preset trusted storage area is the trusted execution environment, as shown in fig. 3, for a schematic diagram of a principle of an update method of the trusted storage area provided in this embodiment, after the target application is updated, a program running in the trusted execution environment may receive a new standard process name of the updated target application, and replace the standard process name of the target application originally stored in the trusted execution environment with the received new standard process name. The trusted storage device may send the new standard process name to the trusted execution environment, and the trusted storage device stores the standard process name of the latest version of each target application that needs to be kept in the running state.
S103: and judging whether the acquired application process list contains the standard process name of the target application, and determining that the target application is abnormal under the condition that the judgment result is negative.
And searching the standard process name of the target application in the acquired application process list by the program running in the trusted execution environment. Where the standard process name of the target application may be more than one. If all the standard process names of the target application can be found, determining that the process of the target application is normally operated, and the target application is normal; if any standard process name of the target application cannot be found, determining that at least one process of the target application does not normally run, and determining that the target application is abnormal.
After determining the result of the target application, the result may be sent to a management device, for example, a server or other form of management device that manages the device where the target application is located, and corresponding operation is performed on the result of the target application.
The above steps may be performed by monitoring whether the target application is running through a program running in the trusted execution environment, thereby determining whether there is an exception to the target application. In another embodiment provided in this specification, it may also be determined whether the target application has an exception by monitoring whether the content in the target application is tampered.
Fig. 4 is a schematic flow chart of another application monitoring method provided in the embodiments of the present disclosure.
S201: and acquiring the current content of the target application, and extracting the current feature corresponding to the current content according to a preset feature extraction algorithm.
The program running in the trusted execution environment may obtain the current content of the target application from a specified storage location, where the content at least includes an operation code of the target application, and extract a current feature corresponding to the current content according to a preset feature extraction algorithm. The features extracted according to the preset feature extraction algorithm are uniquely corresponding to the content, and the preset feature extraction algorithm can be a hash algorithm or a digest algorithm and the like.
S202: and acquiring the standard content characteristics of the target application from a preset trusted storage area.
The preset trusted storage area can store standard content characteristics of each target application which needs to keep a running state. The preset feature extraction algorithm used for extracting the standard content features is consistent with the algorithm for extracting the current features.
The relevant situation of the preset trusted memory area has already been explained in S101, and is not described here again.
When the preset trusted storage area is a trusted storage device outside the target device, the program running in the trusted execution environment may receive standard content features of the target application, which are sent by the trusted storage device and need to maintain the running state.
When the preset trusted storage area is the trusted execution environment, the program running in the trusted execution environment can directly acquire the standard content features of the target application which needs to keep the running state from the environment.
For an application, there may be a case of version upgrade update, and after the update, the standard content feature corresponding to the application may change, so that the stored standard content feature needs to be updated in the preset trusted storage area.
And after monitoring that the target application needing to be kept in the running state is updated, the preset trusted storage area receives new standard content characteristics of the updated target application, and replaces the standard content characteristics of the originally stored target application with the received new standard content characteristics. The new standard content features may be sent to a preset trusted storage area by a device that initiates application update, or sent to a preset trusted storage area by a storage device that stores the new standard content features.
When the preset trusted storage area is the trusted execution environment, after the target application is updated, the program running in the trusted execution environment can receive the updated new standard content features of the target application, and the standard content features of the target application originally stored in the trusted execution environment are replaced by the received new standard content features. Wherein the trusted storage device may send the new standard content features to the trusted execution environment, and the trusted storage device stores the latest version of the standard content features of each target application that needs to be kept in an operating state.
S203: and judging whether the extracted current features are consistent with the standard content features of the target application or not, and determining that the target application is abnormal under the condition that the judgment result is negative.
And comparing the extracted current features with the standard content features of the target application, and judging whether the current features are consistent with the standard content features of the target application. If the current content of the target application is consistent with the accurate content which is not tampered, namely the target application is not tampered and is normal; and if the data are inconsistent, the target application is tampered, and the target application is abnormal.
Specifically, the determination result may be sent to a management device, such as a server or a computer of a device where the management target application is located, so that the management device performs a corresponding operation according to the determination result.
In another embodiment provided in this specification, a trusted verification device, such as a server, other than the device where the target application is located, may be further configured to verify whether the current content features of each target application are consistent with the standard content features, and verify whether the content in the target application is tampered with by using the trusted verification device, so as to determine whether the target application is abnormal. The trusted verification device stores in advance the standard content features of each target application to be monitored that needs to be kept in an operating state, and the standard content features are updated as described in S202.
Fig. 5 is a schematic flow chart of another application monitoring method provided in the embodiments of the present disclosure.
S301: and acquiring the current content of the target application, and extracting the current feature corresponding to the current content according to a preset feature extraction algorithm.
This step is the same as S201 and is not described here.
S302: and sending the extracted current characteristics to the trusted verification device.
And after the extracted current feature is sent to a credible verification device, the credible verification device judges whether the extracted current feature is consistent with the standard content feature of the target application, and under the condition that the judgment result is negative, the target application is determined to be abnormal.
Fig. 6 is a schematic diagram illustrating a principle of an application monitoring method according to this embodiment. The device where the target application is located utilizes the trusted verification device to help monitor whether the content of the target application is tampered.
Through steps S201 to S203 or steps S301 to S302, the application content that needs to be kept in the running state can be monitored through the program running in the trusted execution environment, so as to prevent an attacker from tampering with the content of the target application.
The above provides 3 technical solutions for monitoring the target application, where S101 to S103 determine whether there is an abnormal target application by comparing process names. S201 to S203 and S301 to S302 are to determine whether there is an abnormal target application by comparing the content characteristics of the applications. The above 3 schemes can be executed independently or in combination. For example, when it is determined whether there is an abnormal target application by comparing the process names and it is determined whether there is an abnormal target application by comparing the content characteristics of the applications, that is, when the target application which has been tampered with the content and still remains in a running state is monitored, even if it cannot be determined that the target application is abnormal through S101 to S103, it can be determined that the target application is abnormal through S201 to S203.
In the embodiment, whether the process corresponding to each target application to be monitored is stopped or not is judged by monitoring whether the process name corresponding to each target application to be monitored is contained in all the process lists on the device in a trusted execution environment of the device; and whether the content corresponding to each target application to be monitored is tampered is judged by monitoring whether the content corresponding to each target application to be monitored is consistent with the accurate content which is not tampered.
Because the content in the trusted execution environment cannot be accessed or tampered by the untrusted process, and an attacker cannot invade the trusted execution environment to tamper with or stop the process of the program running in the trusted execution environment, the result obtained by the running of the program is certain to be trusted. Therefore, whether the process corresponding to each target application to be monitored is stopped or not, or whether the content of each target application is tampered or not, namely whether the private data of each target application is tampered or not, can be accurately judged through the technical scheme provided by the specification.
By using the technical scheme provided by the specification, when an attacker stops the process of the application needing to be kept in the running state, the attacker can directly find that the process is stopped, so that corresponding measures are taken to prevent the application from being incapable of executing corresponding operations; or when an attacker tampers with the content of the target application which needs to run correctly, the attacker can directly discover that the content is tampered, so that corresponding measures are taken to prevent the content of the application from being tampered, namely, private data of the application from being tampered.
The present specification further provides an embodiment of an apparatus, and as shown in fig. 7, a schematic structural diagram of an application monitoring apparatus provided in the embodiment of the present specification is provided. The device is used for executing operation in the trusted execution environment aiming at any target application to be monitored, wherein the target application needs to keep a running state. The device comprises:
a process list acquiring unit 401, configured to acquire an application process list currently running on a target device;
a standard process name obtaining unit 402, configured to obtain a standard process name of the target application from a preset trusted storage area;
a first exception determining unit 403, configured to determine whether the acquired application process list includes a standard process name of the target application, and if the determination result is negative, determine that the target application is an exception.
In order to monitor that the content in the target application is not tampered, as shown in fig. 8, a schematic structural diagram of another application monitoring apparatus provided for the embodiment of the present specification is further provided, where the apparatus further includes:
a feature extraction unit 501, configured to obtain current content of the target application, where the content at least includes an operation code of the target application; extracting current characteristics corresponding to the current content according to a preset characteristic extraction algorithm;
a standard feature obtaining unit 502, configured to obtain a standard content feature of the target application from a preset trusted storage area;
the standard feature obtaining unit may be specifically configured to: and when the target application is determined to be updated, receiving new standard content characteristics of the updated target application so as to update the standard content characteristics stored in the trusted storage area according to the new standard content characteristics.
A second anomaly determination unit 503, configured to determine whether the extracted current feature matches the standard content feature of the target application, and if the determination result is no, determine that the target application is anomalous.
The preset trusted storage area in the two apparatus embodiments may specifically be a trusted storage device outside the target device or the trusted execution environment.
Moreover, the standard process name obtaining units in the two device embodiments may be specifically configured to: and when the target application is determined to be updated, receiving a new standard process name of the updated target application so as to update the standard process name stored in the trusted storage area according to the new standard process name.
In order to monitor that content in a target application is not tampered, the present specification further provides an embodiment of an apparatus, and as shown in fig. 9, a schematic structural diagram of another application monitoring apparatus provided for this embodiment is provided, where the apparatus further includes:
a feature extraction unit 501, configured to obtain current content of the target application, where the content at least includes an operation code of the target application; extracting current characteristics corresponding to the current content according to a preset characteristic extraction algorithm;
a feature sending unit 504, configured to send the extracted current feature to a preset trusted verification device, so that the trusted verification device determines whether the extracted current feature is consistent with a standard content feature of the target application, and determines that the target application is abnormal if the determination result is negative.
The preset trusted verification device is in communication connection with the apparatus and can be used for verifying whether the current content characteristics of each target application are consistent with the standard content characteristics, namely, verifying whether the content of each target application is tampered. The trusted verification device stores standard content characteristics of the application to be monitored in advance.
Embodiments of the present specification also provide a computer device, which at least includes a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements an application monitoring method when executing the program.
Fig. 10 illustrates a more specific implementation of an application monitoring method provided by an embodiment of this specification, where the apparatus may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Embodiments of the present description also provide a computer-readable storage medium on which a computer program is stored, which when executed by a processor implements an application monitoring method.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative, and the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more software and/or hardware when implementing the embodiments of the present disclosure. And part or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is only a detailed description of the embodiments of the present disclosure, and it should be noted that, for those skilled in the art, many modifications and decorations can be made without departing from the principle of the embodiments of the present disclosure, and these modifications and decorations should also be regarded as protection for the embodiments of the present disclosure.
Claims (13)
1. An application monitoring method is used for executing the following operations in a trusted execution environment aiming at any target application to be monitored, wherein the target application needs to be kept in a running state:
acquiring an application process list currently operated by target equipment; and
acquiring a standard process name of the target application from a preset trusted storage area;
judging whether the acquired application process list contains the standard process name of the target application;
and determining that the target application is abnormal under the condition that the judgment result is negative.
2. The method of claim 1, further comprising:
acquiring the current content of the target application, wherein the content at least comprises an operation code of the target application; extracting current characteristics corresponding to the current content according to a preset characteristic extraction algorithm;
acquiring standard content characteristics of the target application from a preset trusted storage area;
and judging whether the extracted current features are consistent with the standard content features of the target application or not, and determining that the target application is abnormal under the condition that the judgment result is negative.
3. The method according to claim 1 or 2, wherein the predetermined trusted storage area is specifically:
a trusted storage device external to the target device;
or
The trusted execution environment.
4. The method of claim 1, configuring a trusted verification device, wherein standard content characteristics of an application to be monitored are pre-stored in the trusted verification device;
the method further comprises the following steps:
acquiring the current content of the target application, wherein the content at least comprises an operation code of the target application; extracting current characteristics corresponding to the current content according to a preset characteristic extraction algorithm;
and sending the extracted current feature to the trusted verification device so that the trusted verification device judges whether the extracted current feature is consistent with the standard content feature of the target application, and if not, determining that the target application is abnormal.
5. The method of claim 2, the predetermined trusted storage area being the trusted execution environment;
the standard content characteristics stored in the preset trusted storage area are updated in the following way:
and when the target application is determined to be updated, receiving new standard content characteristics of the updated target application so as to update the standard content characteristics stored in the trusted storage area according to the new standard content characteristics.
6. The method of claim 3, the predetermined trusted storage area being the trusted execution environment;
and updating the standard process name stored in the preset trusted storage area by the following method:
and when the target application is determined to be updated, receiving a new standard process name of the updated target application so as to update the standard process name stored in the trusted storage area according to the new standard process name.
7. An application monitoring apparatus, which is used for executing the following operations in a trusted execution environment for any target application to be monitored, which needs to keep a running state:
the device comprises:
the process list acquiring unit is used for acquiring an application process list currently operated by the target equipment;
the standard process name acquisition unit is used for acquiring the standard process name of the target application from a preset trusted storage area;
and the first abnormity determining unit is used for judging whether the acquired application process list contains the standard process name of the target application or not, and determining that the target application is abnormal under the condition that the judgment result is negative.
8. The apparatus of claim 7, further comprising:
the characteristic extraction unit is used for acquiring the current content of the target application, and the content at least comprises an operation code of the target application; extracting current characteristics corresponding to the current content according to a preset characteristic extraction algorithm;
the standard characteristic acquisition unit is used for acquiring the standard content characteristics of the target application from a preset trusted storage area;
and the second abnormity determining unit is used for judging whether the extracted current characteristic is consistent with the standard content characteristic of the target application or not, and determining that the target application is abnormal under the condition that the judgment result is negative.
9. The apparatus according to claim 7 or 8, wherein the predetermined trusted storage area is specifically:
a trusted storage device external to the target device;
or
The trusted execution environment.
10. The apparatus of claim 7, further comprising:
the characteristic extraction unit is used for acquiring the current content of the target application, and the content at least comprises an operation code of the target application; extracting current characteristics corresponding to the current content according to a preset characteristic extraction algorithm;
the characteristic sending unit is used for sending the extracted current characteristic to a preset credible verification device so that the credible verification device can judge whether the extracted current characteristic is consistent with the standard content characteristic of the target application or not, and under the condition that the judgment result is negative, the target application is determined to be abnormal;
the preset trusted verification equipment is in communication connection with the device, and standard content features of the application to be monitored are stored in the trusted verification equipment in advance.
11. The apparatus of claim 8, the predetermined trusted storage area being the trusted execution environment; the standard feature obtaining unit is specifically configured to:
and when the target application is determined to be updated, receiving new standard content characteristics of the updated target application so as to update the standard content characteristics stored in the trusted storage area according to the new standard content characteristics.
12. The apparatus of claim 9, the predetermined trusted storage area being the trusted execution environment; the standard process name obtaining unit is specifically configured to:
and when the target application is determined to be updated, receiving a new standard process name of the updated target application so as to update the standard process name stored in the trusted storage area according to the new standard process name.
13. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1 to 6 when executing the program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911285295.0A CN110941825B (en) | 2019-12-13 | 2019-12-13 | Application monitoring method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911285295.0A CN110941825B (en) | 2019-12-13 | 2019-12-13 | Application monitoring method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110941825A true CN110941825A (en) | 2020-03-31 |
CN110941825B CN110941825B (en) | 2022-05-27 |
Family
ID=69911248
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911285295.0A Active CN110941825B (en) | 2019-12-13 | 2019-12-13 | Application monitoring method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110941825B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112035829A (en) * | 2020-07-27 | 2020-12-04 | 国家广播电视总局广播电视科学研究院 | Television terminal application control method, device, system, equipment and storage medium |
CN112182508A (en) * | 2020-09-16 | 2021-01-05 | 支付宝(杭州)信息技术有限公司 | Abnormity monitoring method and device for compliance business indexes |
CN112181731A (en) * | 2020-10-26 | 2021-01-05 | 江苏特思达电子科技股份有限公司 | Keep-alive method and device for application program and computer equipment |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1904852A (en) * | 2006-08-01 | 2007-01-31 | 西安西电捷通无线网络通信有限公司 | Method for monitoring and abnormal processing of computer application program |
CN102193825A (en) * | 2011-04-26 | 2011-09-21 | 北京思创银联科技股份有限公司 | Process protection method |
WO2013123563A1 (en) * | 2012-02-24 | 2013-08-29 | Remasys Pty Ltd | Router-based end-user performance monitoring |
CN103383689A (en) * | 2012-05-03 | 2013-11-06 | 阿里巴巴集团控股有限公司 | Service process fault detection method, device and service node |
CN103440189A (en) * | 2013-08-13 | 2013-12-11 | 江苏华大天益电力科技有限公司 | Software deadlock prevention method based on forced process running control |
CN104077244A (en) * | 2014-07-20 | 2014-10-01 | 湖南蓝途方鼎科技有限公司 | Process isolation and encryption mechanism based security disc model and generation method thereof |
CN104125216A (en) * | 2014-06-30 | 2014-10-29 | 华为技术有限公司 | Method, system and terminal capable of improving safety of trusted execution environment |
CN104199772A (en) * | 2014-09-02 | 2014-12-10 | 浪潮(北京)电子信息产业有限公司 | Progress supervising method and device |
CN104778141A (en) * | 2015-02-10 | 2015-07-15 | 浙江大学 | Control system trusted architecture-based TPCM (Trusted Platform Control Module) and trusted detection technology |
CN106296359A (en) * | 2016-08-13 | 2017-01-04 | 深圳市樊溪电子有限公司 | Credible electric power networks transaction platform based on block chain technology |
US20180107826A1 (en) * | 2016-10-18 | 2018-04-19 | Qualcomm Incorporated | Techniques for trusted application fuzzing mitigation |
CN108280346A (en) * | 2017-01-05 | 2018-07-13 | 腾讯科技(深圳)有限公司 | A kind of application protecting, monitoring method, apparatus and system |
CN108776633A (en) * | 2018-05-22 | 2018-11-09 | 深圳壹账通智能科技有限公司 | Method, terminal device and the computer readable storage medium of monitoring process operation |
CN109600392A (en) * | 2019-01-15 | 2019-04-09 | 四川虹微技术有限公司 | A kind of method and device for preventing information from distorting |
-
2019
- 2019-12-13 CN CN201911285295.0A patent/CN110941825B/en active Active
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1904852A (en) * | 2006-08-01 | 2007-01-31 | 西安西电捷通无线网络通信有限公司 | Method for monitoring and abnormal processing of computer application program |
CN102193825A (en) * | 2011-04-26 | 2011-09-21 | 北京思创银联科技股份有限公司 | Process protection method |
WO2013123563A1 (en) * | 2012-02-24 | 2013-08-29 | Remasys Pty Ltd | Router-based end-user performance monitoring |
CN103383689A (en) * | 2012-05-03 | 2013-11-06 | 阿里巴巴集团控股有限公司 | Service process fault detection method, device and service node |
CN103440189A (en) * | 2013-08-13 | 2013-12-11 | 江苏华大天益电力科技有限公司 | Software deadlock prevention method based on forced process running control |
CN104125216A (en) * | 2014-06-30 | 2014-10-29 | 华为技术有限公司 | Method, system and terminal capable of improving safety of trusted execution environment |
CN104077244A (en) * | 2014-07-20 | 2014-10-01 | 湖南蓝途方鼎科技有限公司 | Process isolation and encryption mechanism based security disc model and generation method thereof |
CN104199772A (en) * | 2014-09-02 | 2014-12-10 | 浪潮(北京)电子信息产业有限公司 | Progress supervising method and device |
CN104778141A (en) * | 2015-02-10 | 2015-07-15 | 浙江大学 | Control system trusted architecture-based TPCM (Trusted Platform Control Module) and trusted detection technology |
CN106296359A (en) * | 2016-08-13 | 2017-01-04 | 深圳市樊溪电子有限公司 | Credible electric power networks transaction platform based on block chain technology |
US20180107826A1 (en) * | 2016-10-18 | 2018-04-19 | Qualcomm Incorporated | Techniques for trusted application fuzzing mitigation |
CN108280346A (en) * | 2017-01-05 | 2018-07-13 | 腾讯科技(深圳)有限公司 | A kind of application protecting, monitoring method, apparatus and system |
CN108776633A (en) * | 2018-05-22 | 2018-11-09 | 深圳壹账通智能科技有限公司 | Method, terminal device and the computer readable storage medium of monitoring process operation |
CN109600392A (en) * | 2019-01-15 | 2019-04-09 | 四川虹微技术有限公司 | A kind of method and device for preventing information from distorting |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112035829A (en) * | 2020-07-27 | 2020-12-04 | 国家广播电视总局广播电视科学研究院 | Television terminal application control method, device, system, equipment and storage medium |
CN112182508A (en) * | 2020-09-16 | 2021-01-05 | 支付宝(杭州)信息技术有限公司 | Abnormity monitoring method and device for compliance business indexes |
CN112181731A (en) * | 2020-10-26 | 2021-01-05 | 江苏特思达电子科技股份有限公司 | Keep-alive method and device for application program and computer equipment |
Also Published As
Publication number | Publication date |
---|---|
CN110941825B (en) | 2022-05-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11244044B1 (en) | Method to detect application execution hijacking using memory protection | |
US20230066210A1 (en) | Method and system for preventing and detecting security threats | |
CN110941825B (en) | Application monitoring method and device | |
EP2839406B1 (en) | Detection and prevention of installation of malicious mobile applications | |
EP3270318B1 (en) | Dynamic security module terminal device and method for operating same | |
CN104751049A (en) | Application program installing method and mobile terminal | |
US20110283358A1 (en) | Method and system to detect malware that removes anti-virus file system filter driver from a device stack | |
US20230185921A1 (en) | Prioritizing vulnerabilities | |
CN110334515B (en) | Method and device for generating measurement report based on trusted computing platform | |
CN112995236B (en) | Internet of things equipment safety management and control method, device and system | |
CN110837644B (en) | System penetration testing method and device and terminal equipment | |
CN110008758B (en) | ID obtaining method and device, electronic equipment and storage medium | |
CN113591159A (en) | Credibility measurement method and credible computing node | |
US20190121985A1 (en) | Detecting vulnerabilities in applications during execution | |
JP2018509692A (en) | Selective block-based integrity protection techniques | |
US8938805B1 (en) | Detection of tampering with software installed on a processing device | |
CN109784051B (en) | Information security protection method, device and equipment | |
US20200244461A1 (en) | Data Processing Method and Apparatus | |
WO2020007249A1 (en) | Operating system security active defense method and operating system | |
CN115455414A (en) | Safety detection method and device | |
US10637877B1 (en) | Network computer security system | |
CN110362983B (en) | Method and device for ensuring consistency of dual-domain system and electronic equipment | |
JP5955165B2 (en) | Management apparatus, management method, and management program | |
US11886584B2 (en) | System and method for detecting potentially malicious changes in applications | |
EP4095727A1 (en) | System and method for detecting potentially malicious changes in applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |